Undefined symbol _SecTrustCopyCertificateChain on macOS ARM64 with CGO

[ujaandas]

I've been running into a strange linker error over the past few days. It seems to involve some interaction between go-sqlite3 and the standard net/http package, though I can't pinpoint the exact cause. I feel like it might be environment-related, but I’m not sure what specifically is misconfigured.

The error is as follows:

# command-line-arguments
/nix/store/cr196bvbbai01r0w11p1inkzkdrqdx6y-go-1.25.0/share/go/pkg/tool/darwin_arm64/link: running clang failed: exit status 1
/nix/store/zzx6cfl99zknfrj9v7lmrshwzslfjv26-clang-wrapper-19.1.7/bin/clang -arch arm64 -Wl,-S -Wl,-x -o $WORK/b001/exe/main -Qunused-arguments /var/folders/6w/y1r0ppl53_s17_0z4jd0h58m0000gn/T/go-link-3971632966/go.o /var/folders/6w/y1r0ppl53_s17_0z4jd0h58m0000gn/T/go-link-3971632966/000000.o /var/folders/6w/y1r0ppl53_s17_0z4jd0h58m0000gn/T/go-link-3971632966/000001.o /var/folders/6w/y1r0ppl53_s17_0z4jd0h58m0000gn/T/go-link-3971632966/000002.o /var/folders/6w/y1r0ppl53_s17_0z4jd0h58m0000gn/T/go-link-3971632966/000003.o /var/folders/6w/y1r0ppl53_s17_0z4jd0h58m0000gn/T/go-link-3971632966/000004.o /var/folders/6w/y1r0ppl53_s17_0z4jd0h58m0000gn/T/go-link-3971632966/000005.o /var/folders/6w/y1r0ppl53_s17_0z4jd0h58m0000gn/T/go-link-3971632966/000006.o /var/folders/6w/y1r0ppl53_s17_0z4jd0h58m0000gn/T/go-link-3971632966/000007.o /var/folders/6w/y1r0ppl53_s17_0z4jd0h58m0000gn/T/go-link-3971632966/000008.o /var/folders/6w/y1r0ppl53_s17_0z4jd0h58m0000gn/T/go-link-3971632966/000009.o /var/folders/6w/y1r0ppl53_s17_0z4jd0h58m0000gn/T/go-link-3971632966/000010.o /var/folders/6w/y1r0ppl53_s17_0z4jd0h58m0000gn/T/go-link-3971632966/000011.o /var/folders/6w/y1r0ppl53_s17_0z4jd0h58m0000gn/T/go-link-3971632966/000012.o /var/folders/6w/y1r0ppl53_s17_0z4jd0h58m0000gn/T/go-link-3971632966/000013.o /var/folders/6w/y1r0ppl53_s17_0z4jd0h58m0000gn/T/go-link-3971632966/000014.o /var/folders/6w/y1r0ppl53_s17_0z4jd0h58m0000gn/T/go-link-3971632966/000015.o /var/folders/6w/y1r0ppl53_s17_0z4jd0h58m0000gn/T/go-link-3971632966/000016.o /var/folders/6w/y1r0ppl53_s17_0z4jd0h58m0000gn/T/go-link-3971632966/000017.o /var/folders/6w/y1r0ppl53_s17_0z4jd0h58m0000gn/T/go-link-3971632966/000018.o /var/folders/6w/y1r0ppl53_s17_0z4jd0h58m0000gn/T/go-link-3971632966/000019.o /var/folders/6w/y1r0ppl53_s17_0z4jd0h58m0000gn/T/go-link-3971632966/000020.o /var/folders/6w/y1r0ppl53_s17_0z4jd0h58m0000gn/T/go-link-3971632966/000021.o /var/folders/6w/y1r0ppl53_s17_0z4jd0h58m0000gn/T/go-link-3971632966/000022.o -isysroot /nix/store/rhlyld20zdzdi5wghb4b12gw52s9whr9-apple-sdk-11.3/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.3.sdk -framework Security -framework CoreFoundation -isysroot /nix/store/rhlyld20zdzdi5wghb4b12gw52s9whr9-apple-sdk-11.3/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.3.sdk -framework Security -framework CoreFoundation -framework CoreFoundation -lresolv -framework CoreFoundation -framework Security
Undefined symbols for architecture arm64:
  "_SecTrustCopyCertificateChain", referenced from:
      _crypto/x509/internal/macos.x509_SecTrustCopyCertificateChain_trampoline.abi0 in go.o
ld: symbol(s) not found for architecture arm64
clang: error: linker command failed with exit code 1 (use -v to see invocation)

Go Env:

❯ go env
AR='ar'
CC='clang'
CGO_CFLAGS='-isysroot /nix/store/rhlyld20zdzdi5wghb4b12gw52s9whr9-apple-sdk-11.3/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.3.sdk'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_ENABLED='1'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-isysroot /nix/store/rhlyld20zdzdi5wghb4b12gw52s9whr9-apple-sdk-11.3/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.3.sdk -framework Security -framework CoreFoundation'
CXX='clang++'
GCCGO='gccgo'
GO111MODULE=''
GOARCH='arm64'
GOARM64='v8.0'
GOAUTH='netrc'
GOBIN=''
GOCACHE='/Users/ooj/Library/Caches/go-build'
GOCACHEPROG=''
GODEBUG=''
GOENV='/Users/ooj/Library/Application Support/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFIPS140='off'
GOFLAGS=''
GOGCCFLAGS='-fPIC -arch arm64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -ffile-prefix-map=/var/folders/6w/y1r0ppl53_s17_0z4jd0h58m0000gn/T/go-build1955079625=/tmp/go-build -gno-record-gcc-switches -fno-common'
GOHOSTARCH='arm64'
GOHOSTOS='darwin'
GOINSECURE=''
GOMOD='/Users/ooj/Dev/Projects/go-react-starter/go.mod'
GOMODCACHE='/Users/ooj/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='darwin'
GOPATH='/Users/ooj/go'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/nix/store/cr196bvbbai01r0w11p1inkzkdrqdx6y-go-1.25.0/share/go'
GOSUMDB='sum.golang.org'
GOTELEMETRY='local'
GOTELEMETRYDIR='/Users/ooj/Library/Application Support/go/telemetry'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/nix/store/cr196bvbbai01r0w11p1inkzkdrqdx6y-go-1.25.0/share/go/pkg/tool/darwin_arm64'
GOVCS=''
GOVERSION='go1.25.0'
GOWORK=''
PKG_CONFIG='pkg-config'

And a minimal example of my code:

package main

import (
    "log"
    "net/http"
    _ "github.com/mattn/go-sqlite3"
)

func main() {
    if err := http.ListenAndServe(":3000", nil); err != nil {
        log.Fatal(err)
    }
}

I've tried the following, but to no avail:

• setting SDKROOT and CGO_CFLAGS, CGO_LDFLAGS
• running under Rosetta
• building with GOARCH=amd64
• disabling CGO (sqlite needs this)
• using -tags netgo,osusergo

Is this related to Go’s internal use of macOS security APIs?
Any guidance or workaround would be appreciated.

[rittneje]

See NixOS/nixpkgs#433688.